Help extending Reset Secure channel script
So, following on from the PDQ&A last week, I was quite interested in the Reset Secure channel script.
Obviously, it needs to be run as the local administrator, and it's here I hit a problem. We run LAPS to randomize the local admin password frequently and store that in AD (if you're not already using it, it's well worth looking into; totally free too).
Now, there's a PowerShell module for LAPS, so it should be as simple as:
#Import the LAPS module (the module name is AdmPwd.PS)
Import-Module AdmPwd.PS
#Get LocalAdmin password of computer; the cmdlet returns an object and the clear-text password is in its .Password property
$lapsPassword = (Get-AdmPwdPassword -ComputerName $ComputerName).Password
#Wrap it in a PSCredential, because -Credential will not accept a plain string (assumes the managed local admin is named Administrator)
$pwd = New-Object System.Management.Automation.PSCredential(".\Administrator", (ConvertTo-SecureString $lapsPassword -AsPlainText -Force))
That's going to retrieve the local admin password of the machine and allow us to use the $pwd variable in the reset secure channel script
Test-ComputerSecureChannel -Repair -Credential $pwd
PDQ is going to run all that from the client, which won't work.
What I need to do is pass the ComputerName variable from PDQ to the script, run the first half ON the PDQ machine to retrieve the password, then pass the variable to the PDQ deployment.
I think in your situation this needs to be a TOOL in PDQ Inventory (download the latest Beta 2 release!).
Run the tool against the machine in question. This will give you the ability to get stuff from the local PDQ server, and pass things to the remote client. Or just bypass PDQ entirely and write a script and run it from the PDQ box and leverage Invoke-Command for all of your client side Test-ComputerSecureChannel calls.
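The "run it from the PDQ box with Invoke-Command" approach described above, as an added example that is not code from the original thread or from PDQ. It assumes the AdmPwd.PS module is installed on the management host, that the LAPS-managed local account is named Administrator, and that the client accepts WinRM with a local account (TrustedHosts or HTTPS). Note that the -Credential on Test-ComputerSecureChannel is a domain account allowed to reset the computer object's password in AD; the LAPS credential is only used to open the session.

```powershell
# Run on the PDQ/management host as an account that may read LAPS passwords.
param(
    [Parameter(Mandatory)][string]$ComputerName,
    # Domain account permitted to reset the computer account password in AD (assumed).
    [Parameter(Mandatory)][pscredential]$DomainCredential
)

Import-Module AdmPwd.PS -ErrorAction Stop

# 1. Pull the current LAPS password from AD. Keep it out of logs and transcripts.
$laps = Get-AdmPwdPassword -ComputerName $ComputerName -ErrorAction Stop
if (-not $laps.Password) { throw "No LAPS password stored for $ComputerName" }
$secure    = ConvertTo-SecureString $laps.Password -AsPlainText -Force
$localCred = [pscredential]::new(".\Administrator", $secure)   # assumed local admin name

# 2. Connect with the LOCAL admin account: a broken secure channel means the client
#    cannot validate domain logons, so domain creds would be refused here.
$session = New-PSSession -ComputerName $ComputerName -Credential $localCred -ErrorAction Stop
try {
    $result = Invoke-Command -Session $session -ArgumentList $DomainCredential -ScriptBlock {
        param([pscredential]$cred)
        $before   = Test-ComputerSecureChannel      # $true when the channel is healthy
        $repaired = $false
        if (-not $before) {
            # Only attempt the reset when the channel is actually broken.
            $repaired = Test-ComputerSecureChannel -Repair -Credential $cred
        }
        [pscustomobject]@{
            Computer      = $env:COMPUTERNAME
            HealthyBefore = $before
            Repaired      = $repaired
            HealthyAfter  = Test-ComputerSecureChannel
        }
    }
    $result | Format-Table -AutoSize
}
finally {
    Remove-PSSession $session
    $laps = $null; $secure = $null   # drop references to the plaintext promptly
}
```

Running Test-ComputerSecureChannel without -Repair first gives you a before/after record for each machine, which is useful when you are checking a whole OU rather than a single box.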
LAPS is also being rolled out at my locations as well. The local admin password for each computer account is stored in the account's attributes in Active Directory in clear text. So any Active Directory user account with access to read the computer account attribute in AD can read the local admin password. In order for Deploy to run a package as the local administrator, it would need to retrieve the password from Active Directory before deploying the package to the machine. This is not something that we can set up currently for deployment credentials. It would need to be an option added to PDQ Deploy. When adding a new credential you would be able to set the password or tell it to use the LAPS password in Active Directory. This would need to happen just so that you could deploy anything to the machine (without your personal account or security group already in the local Administrators group).
If that feature is added, you can now deploy packages with the local admin account and LAPS password from Active Directory. However, in your case you would like to pass the LAPS password to the script that runs on the client. I have not tested this, but I'm thinking that you should be able to deploy the package with local admin (just to get the scripts pushed and running on the client) but then set the step that runs your script, in Options, to run as your account which has access to view LAPS passwords. The script would then pull the password and execute with the variable, using your AD account to retrieve the password.